Can hotel room key cards be hacked?

F-Secure Cyber Security Services, a cybersecurity company, announced recently that hotel rooms fitted with electronic locks by Assa Abloy, the world’s largest lock manufacturer, could have been ‘hacked’ to gain access to any room.
About a decade ago, an employee of F-Secure Cyber Security Services had his laptop stolen from his hotel room whilst attending a security conference. When he reported the theft, the hotel rejected his complaint on the grounds that there were no signs of forced entry and the room entry records of the hotel’s electronic lock system did not show any evidence of unauthorised access to the room. This incident triggered the interest of researchers Timo Hirvonen and Tomi Tuominen at cybersecurity firm F-Secure, who decided to investigate the matter further. The research took several thousand hours, was done on an on-and-off basis, and involved considerable trial and error. “We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” said Timo Hirvonen in a public statement.
The investigation resulted in the discovery that electronic room keys at hotels worldwide can be hacked. In other words, hotels using an electronic lock system, including international hotel chains, were vulnerable to exploitation by a hacker to gain unlawful entry to any room in the hotel.
When investigating the issue, the researchers chose to target a brand of lock known for quality and security, namely the lock system software known as Vision by VingCard, which is in use in millions of hotel rooms worldwide. The researchers revealed that the hack involved the following steps: identify a facility, find a used key card (one that had expired or been discarded), combine a cheap piece of hardware with custom-built software to read the card, search for and unearth the master key code, and copy this master key information onto a new or existing card. Using this method, the two researchers were able to gain access to a room within a minute.
After successfully bypassing the electronic lock system, F-Secure notified Assa Abloy of their findings and over the past year collaborated with the lock-maker to help develop software fixes. Since early 2018, Assa Abloy have rolled out updates to fix all the identified vulnerabilities, although how many affected hotels have actually implemented the change in a timely manner is unknown. Installing the updates is both labour-intensive and time-consuming, since one would need to first update the backend software and thereafter go to each and every lock to update the lock firmware.
A spokesman for the world-famous lock-maker downplayed the risks to hotel rooms using their software by commenting that “the product in question, Vision Software, was 20 years old and it took two employees at F-Secure thousands of hours of intensive work to compromise it”, going on to add that these old locks represent only a fraction of those in use and are rapidly replaced with new technology.
So, should we be worried about hotel room security? To keep things in perspective, the hack was carried out by a security company and took over ten years and thousands of hours to perpetrate. Would hackers, even if they possessed the ability and had tons of time on their hands, not spend it on stealing something with higher gains than a hotel room heist?
The findings, however, sparked a debate about whether electronic locking systems are actually better than the conventional deadlatch on doors. With the advent of fingerprint or eye-recognition scanners as highly secure entry barriers, some question: “can they too be vulnerable to hacking?” Timo Hirvonen’s response to these questions, “More important than a single technical or mechanical solution is the fact that it is implemented in a secure manner”, is one answer.
Report compiled by in2ition